Why HTTPS filtering exclusions in SSL rules do not work when Proxy intercepts HTTPS connections transparently ?

If you using SSL rules  with remote Web server or domains objects,  the proxy did not understand your rule an decrypt SSL connections when using transparent mode.

If your proxy is configured to transparently intercept and decrypt HTTPS connections, then HTTPS domain name exclusions cannot be used.
The reason for this is simple – domain name is not available at the time when proxy need to decide whether to decrypt the HTTPS connection or not.
Only IP addresses of client and server are available. Domain name becomes available only after HTTPS decryption.

In order to exclude sites from HTTPS decryption you must use SSL SNI Proxy object in order to skip connections according domains in certificate.

On the other hand, if your browser is using Proxy as explicit proxy, HTTPS exclusions work as expected because in this case browser first establishes SSL tunnel to the remote domain and Proxy service has enough information to skip HTTPS decryption.

Leave a comment